The Group Admin Role
Published: Feb 14, 2018   -   Updated: Jun 22, 2018

 

 


The Group Administrator role stands apart from the other admin roles because it allows for increased administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords, etc.), it can also be used to restrict these tasks to a select group or groups of Okta users. In essence, you can “delegate” permissions to a particular admin to manage a specific group.

Note: This feature only applies to groups created in Okta.

One use for this role might be a franchise, where each location needs to silo and control its location-specific teams. Each franchise would need to create and manage its own data without affecting or being affected by the others. Another example might be a company that owns many distinct product brands. One “umbrella” company owns them, but each brand has some homegrown and unique departments that have no relation to the other brands.

Guidance on Structuring Okta Groups

Getting the most out of this role requires careful selection of Okta groups. The groups you create and choose should reflect your organization's structure or boundaries of control.

Another good practice is to grant one admin role per admin. Having said that, there are cases where customers might need to assign multiple administrator roles to a single admin. One example might be combining an App Admin role and a Group Admin role. Since the Group Admin is the only role defined by groups, adding the App Admin role can expand the admin's view and edit permissions without compromising security. For this reason, Okta supports combining admin permissions.

Admins only receive notifications about locked-out users who are in the group or groups that the admin manages.

Group Administrator Permissions

The Group Administrator role has a fixed set of permissions, but there are also restrictions on what this role can do.

Group Admins have the following permissions:

  • Create new users in groups that they manage

  • Remove people from groups that they manage

  • Add users in groups they manage to other groups they manage

  • Rename groups they manage

  • Deactivate users

  • Activate users

  • Reset user passwords

  • Reset user multifactor authentication options

  • Edit user profiles

  • Unlock users

  • Suspend users

  • Use the Reveal password button to expose restricted passwords set by Super or App Admin roles.

Group Admins have the following restrictions. They cannot:

  • Create or delete groups

  • Directly assign apps to users or groups

  • Initiate directory or app imports

  • View or modify users outside of their assigned groups

Set Up a Group Administrator

To create and configure the Group Admin role, do the following:

  1. From the Administrative Dashboard, go to Security > Administrators.

  2. Click the Add Administrator button.

In the resulting dialog box, do the following:

  1. Type an administrator name into the Grant Administrator Role to field.

  2. Select the Group Administrator role.

  3. Select Can administer user in specific groups (recommended).

  4. Type in the group name of the Okta groups the admin will control. Note that only Okta groups appear.

  5. Select the Add Administrator button below your selections to complete the assignment.
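
An added example, not Okta's code: a small audit over a constructed export of admin assignments that checks the guidance on this page, namely Group Administrators scoped to specific groups, targets limited to groups created in Okta, and one admin role per admin. The record layout and field names (`admin`, `role`, `groups`, `source`) are assumptions for illustration, not an Okta API schema.

```python
from collections import defaultdict

# Constructed sample export of admin assignments (hypothetical layout,
# not Okta's API schema). "groups" lists the groups a Group Administrator
# is scoped to; an empty list models an assignment that was not limited
# to specific groups.
ASSIGNMENTS = [
    {"admin": "alice@example.com", "role": "Group Administrator",
     "groups": [{"name": "Franchise-East", "source": "okta"}]},
    {"admin": "bob@example.com", "role": "Group Administrator", "groups": []},
    {"admin": "carol@example.com", "role": "Group Administrator",
     "groups": [{"name": "AD-Sales", "source": "directory"}]},
    {"admin": "dave@example.com", "role": "Group Administrator",
     "groups": [{"name": "Brand-A", "source": "okta"}]},
    {"admin": "dave@example.com", "role": "App Administrator", "groups": []},
]

GROUP_ADMIN = "Group Administrator"


def audit(assignments):
    """Return a sorted list of (admin, finding) tuples for review."""
    findings = []
    roles_by_admin = defaultdict(set)
    for a in assignments:
        roles_by_admin[a["admin"]].add(a["role"])
        if a["role"] != GROUP_ADMIN:
            continue
        # The setup steps recommend administering specific groups only.
        if not a["groups"]:
            findings.append((a["admin"], "group admin not scoped to specific groups"))
        # The feature only applies to groups created in Okta.
        for g in a["groups"]:
            if g["source"] != "okta":
                findings.append(
                    (a["admin"], f"target group {g['name']!r} was not created in Okta"))
    # One admin role per admin is the stated good practice; combinations
    # are supported, so they are listed for review rather than rejected.
    for admin, roles in roles_by_admin.items():
        if len(roles) > 1:
            findings.append((admin, "multiple admin roles: " + ", ".join(sorted(roles))))
    return sorted(findings)


if __name__ == "__main__":
    for admin, finding in audit(ASSIGNMENTS):
        print(f"{admin}: {finding}")
```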

Edit an Administrator

On the Security > Administrators page, select the pencil icon to edit an administrator or the X icon to delete an administrator. Deleting an administrator revokes all of that user's administrator privileges but does not delete the individual user.

For more information, see Administrators.
